Tags: elasticsearch, filter, grok, logstash-grok

Grok pattern does not work for $ character


I use logstash to collect logs into elasticsearch. I'm creating grok filters for some logs by testing them on this link:

http://grokconstructor.appspot.com/do/match#result

I have a problem with the $ character. The bad thing is that you cannot know in advance whether a $ character will appear inside the log or not.

An example log:

[8/11/15 10:34:47:047 EEST] 0000003b MbuRmmAdapter I   DCSV1032I: DCS Stack DefaultCoreGroup at Member TEST\G

The filter which successfully works for that log:

\[%{DATESTAMP:datestamp}\s(?<tzone>.*)\]\s(?<threadid>[\w]{8})\s%{WORD:logshortname}\s+(?<eventtype>[\w]{1})\s(?<msg>.*)

But if we put a $ inside the MbuRmmAdapter word, like MbuRmm$Adapter, the debugger says that the part after the $ does not match the filter.

What can I do?


Solution

  • Simply use the DATA pattern instead of the WORD pattern for your logshortname field and it should work just fine:

    \[%{DATESTAMP:datestamp}\s(?<tzone>.*)\]\s(?<threadid>[\w]{8})\s%{DATA:logshortname}\s+(?<eventtype>[\w]{1})\s(?<msg>.*)
    

    You can check out a definition of all the predefined grok patterns here: https://github.com/elastic/logstash/tree/v1.4.2/patterns
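As an added example (not part of the question or the answer above), the following Python script shows why WORD rejects the $ variant while DATA accepts it. It expands a hand-transcribed subset of the stock grok pattern definitions (WORD, DATA, DATESTAMP and the pieces DATESTAMP is built from) into a plain regex and runs both filters from this page over the sample line with and without the $. The names expand, grok_match, WORD_FILTER, DATA_FILTER, LOG_PLAIN and LOG_DOLLAR are my own; the second sample line is constructed from the one in the question.

```python
import re

# Subset of the stock logstash grok-patterns file (WORD, DATA, DATESTAMP and the
# pieces DATESTAMP is built from), transcribed by hand. YEAR's atomic group
# (?>...) is written as (?:...) because Python's re accepts (?>...) only on 3.11+.
GROK_PATTERNS = {
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "DATE_US": r"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}",
    "DATE_EU": r"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}",
    "DATE": r"%{DATE_US}|%{DATE_EU}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "DATESTAMP": r"%{DATE}[- ]%{TIME}",
    "WORD": r"\b\w+\b",   # \w never matches '$', so the word ends there
    "DATA": r".*?",       # lazy "anything", stops where the next token matches
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(grok_expr):
    """Expand %{NAME} and %{NAME:field} references into a plain Python regex.

    %{NAME} becomes a non-capturing group and %{NAME:field} a named group, so
    alternations inside a definition (e.g. DATE) stay contained, as in grok.
    """
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = expand(GROK_PATTERNS[name])          # definitions may nest
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    regex = _REF.sub(repl, grok_expr)
    # Oniguruma-style (?<name>...) groups -> Python's (?P<name>...);
    # lookbehinds (?<= and (?<! are left untouched.
    return re.sub(r"\(\?<(?![=!])", "(?P<", regex)


def grok_match(grok_expr, line):
    """Return the captured fields as a dict, or None when the line does not match.

    re.search is used because grok does not anchor its patterns either.
    """
    m = re.search(expand(grok_expr), line)
    return m.groupdict() if m else None


# The filter from the question (WORD) and the one from the answer (DATA), verbatim.
WORD_FILTER = r"\[%{DATESTAMP:datestamp}\s(?<tzone>.*)\]\s(?<threadid>[\w]{8})\s%{WORD:logshortname}\s+(?<eventtype>[\w]{1})\s(?<msg>.*)"
DATA_FILTER = WORD_FILTER.replace("%{WORD:logshortname}", "%{DATA:logshortname}")

# Constructed sample lines: the one from the question and the '$' variant it describes.
LOG_PLAIN = r"[8/11/15 10:34:47:047 EEST] 0000003b MbuRmmAdapter I   DCSV1032I: DCS Stack DefaultCoreGroup at Member TEST\G"
LOG_DOLLAR = LOG_PLAIN.replace("MbuRmmAdapter", "MbuRmm$Adapter")

if __name__ == "__main__":
    for name, flt in (("WORD", WORD_FILTER), ("DATA", DATA_FILTER)):
        for line in (LOG_PLAIN, LOG_DOLLAR):
            fields = grok_match(flt, line)
            print(name, "->", fields["logshortname"] if fields else "NO MATCH")
```

Running it prints a match for both lines with the DATA filter and "NO MATCH" for the $ line with the WORD filter: `\b\w+\b` stops at the `$`, and the following `\s+` then fails on it. Two things to keep in mind when the field is fed by log content you do not control: `.*`/`.*?` tokens such as tzone and DATA can backtrack heavily on long or unusual lines, so anchor the pattern with `^` and keep the free-form tokens as few as possible, and rely on the grok filter's per-event timeout (`timeout_millis` in Logstash) so a pathological line cannot stall the pipeline.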